The End Is Nigh!
What a couple of weeks, eh? Everything is blowing up all the time, and folks everywhere are either resigned to living in this shit show, or losing sleep trying to un-shit the show because, for various reasons, the show cannot stop. How did we get here? To this point of living?
We've been discussing this for a while now, both here and over at our Discord (link below), and it feels like we're always repeating ourselves. That's because we are. We know most of the problems, and we know the solutions to most of these problems. What we don't know is how to give much of a fuck.
Every flashy cybersecurity incident that we've seen over the last couple of weeks was a choice. AT&T dumping call and SMS records of their clients into a Snowflake instance with no authentication controls besides a username and a password was a choice. CrowdStrike being able to basically push kernel-space software without much thought was a choice. I can go on, but you know what I mean. The important thing is that these choices are being made by people who don't know any better. I'd wager that the motivation behind AT&T sending all that data to Snowflake has got absolutely nothing to do with the business of providing people with phone service. I'd also wager that the people who made that decision had no idea about the risks involved in doing so. On the same vibe, I won't even wager that the absolute majority of people who got bamboozled by CrowdStrike's "bUsInEsS dEvElOpMeNt MaNaGeRs" would be a-OK with simpler, cheaper tools, but that would be easy money for me.
So, the multi-million dollar tools that are there to protect your shit are making your shit worse. The medicine doing more harm than the disease is not how things should work. The sheer lack of understanding of the consequences of those choices is what causes these things. And, look: I'm not going to sit here and tell everyone that I "saw this coming" because I fucking did not. But it is not outside the realm of possibility to consider bad software updates a risk to operations. If you're in a situation where availability is a major concern, you might want to think twice before you yolo kernel-space shit into production. But, for that to happen, you need to understand both the things you're trying to protect, and the methods that exist right fucking now to do so.
And that's where things get tricky: good cybersecurity requires a lot of thinking, planning, understanding, and re-thinking fucking constantly, and no one's got the time or the budget for that. And, until companies are forced to find the time and the budget, they won't. Imagine if we didn't have, I don't know, building codes. Or industrial controls. Or any kind of safety standards at all? Even with those in place, sometimes shit goes sideways. Imagine if factory XYZ went "Well, turns out that mixing this with that causes things to go boom! Maybe let's not do that anymore!", and then you keep seeing shit going boom everywhere all the time because people keep mixing this with that even though it is known to be a bad idea? I won't even get too fancy here and ask people to think along the lines of "if we do what's being proposed, there's a chance this will mix with that by accident!" Baby steps.
Surely someone, somewhere would be asking the powers that be to do something about it. But we don't do that here. Not even when bad cybersecurity can absolutely cause things to literally go boom. It won't change because people don't care enough. And they should, super chiefs: because, one way or another, these things end up being paid for by you. Every time you miss your flight because CrowdStruck. Every time you can't see a doctor because of ransomware. Every time you or your loved ones fall for a scam because AT&T left your data out there protected with only a password. You're paying with your time, your money, and your sanity. The people who actually fucked up? They'll send some people a $10 gift card. Or some identity monitoring. Or some small percentage of their 12-figure revenue in class-action suit settlements.
Those things happen because we choose to let them happen. We hold all sorts of professionals accountable if they fuck up. Cybersecurity is critical, so it should be no different. If the only consequence is the CISO getting a $950,000 bonus instead of a bonus of $1,000,000, this won't change. If this doesn't change, there's no reason for this profession to exist: businesses need very little reason to stop doing something they don't want to do. If folks in this field—a field that's only getting more and more complex—won't demand change, no one will. And that's going to be the end.